The Evolution of Self-Defense Technologies in Malware

This article explores how malware has developed self-defense techniques, how those techniques have evolved as it has become harder for viruses to survive, and gives an overview of the current situation.

Do you think that malware could update itself via the internet, like an anti-virus scanner, to continually avoid detection? So theoretically, by the time signatures are released by an AV vendor, the malware has already installed a newer version of itself and is not detected.

Just some thoughts ... Nothing serious.

This is already happening. Some folks call it "server-side polymorphism".
The botnet operator distributes new pieces of malware when his/her initial creations begin to appear on the radar of AV vendors.
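
The server-side polymorphism described in the reply above, as an added example that is not from the original thread and models no real malware: a toy "distribution server" re-encodes the same constructed payload with a fresh XOR key and a random junk prefix on every download, so every copy served has a new hash. A hash blocklist that learned the first sample misses every later copy, while a scanner that recognises the (constructed) unpacking stub, runs it, and matches on the decoded payload catches all of them. The payload string, the stub marker and the file layout are all constructed for illustration.

```python
import hashlib
import random

# Constructed stand-in for the part of the malware that stays the same across
# variants: the behaviour the operator actually wants to run.
PAYLOAD = b"connect c2.example.invalid:443; fetch tasks; keylog; exfil"

# Constructed marker for the decoder stub that every variant needs in order to
# unpack PAYLOAD. In a real sample this would be code, not a string.
STUB_MARKER = b"XORSTUB"


def build_variant(rng: random.Random) -> bytes:
    """Server-side polymorphism: emit a freshly re-encoded copy of the same
    payload for every download. Layout: junk | marker | key | len | encoded."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    encoded = bytes(b ^ key for b in PAYLOAD)
    return junk + STUB_MARKER + bytes([key]) + len(encoded).to_bytes(2, "big") + encoded


def unpack(sample: bytes) -> bytes:
    """What the stub does at run time: recover the payload from the wrapper."""
    i = sample.index(STUB_MARKER) + len(STUB_MARKER)
    key = sample[i]
    n = int.from_bytes(sample[i + 1:i + 3], "big")
    encoded = sample[i + 3:i + 3 + n]
    return bytes(b ^ key for b in encoded)


class HashSignatureAV:
    """Classic signature scanner: a blocklist of hashes of samples already seen."""

    def __init__(self) -> None:
        self.known: set[str] = set()

    def learn(self, sample: bytes) -> None:
        self.known.add(hashlib.sha256(sample).hexdigest())

    def detect(self, sample: bytes) -> bool:
        return hashlib.sha256(sample).hexdigest() in self.known


class UnpackingAV:
    """Emulation-style scanner: recognise the stub, run it, and match on what
    comes out rather than on the bytes that were downloaded."""

    def detect(self, sample: bytes) -> bool:
        if STUB_MARKER not in sample:
            return False
        decoded = unpack(sample)
        return b"keylog" in decoded and b"exfil" in decoded


def simulate(n_downloads: int = 5, seed: int = 7) -> dict:
    """Vendor gets the first sample and ships a hash; the operator keeps
    serving new variants. Returns how each scanner fares on the later ones."""
    rng = random.Random(seed)
    sig_av, unpack_av = HashSignatureAV(), UnpackingAV()
    first = build_variant(rng)
    sig_av.learn(first)
    later = [build_variant(rng) for _ in range(n_downloads)]
    return {
        "first_caught_by_hash": sig_av.detect(first),
        "later_caught_by_hash": sum(sig_av.detect(s) for s in later),
        "later_caught_by_unpack": sum(unpack_av.detect(s) for s in later),
        "distinct_hashes": len({hashlib.sha256(s).hexdigest() for s in [first] + later}),
    }


if __name__ == "__main__":
    print(simulate())
```

The point is the gap between what changes (the wrapper, and therefore the hash) and what cannot change (the payload, because it is the point of the malware); a scanner that only keys on the former is always one download behind.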

Just one of the reasons a PC should be disconnected from the Net when an infection is first discovered and kept in that state until it is clean. IMO, I do not see this suggested enough when recommendations are made on cleaning one up. It sure is not a cure-all and can even complicate things a bit, but it sure would not hurt either.

If one were to take that action whenever a new exploit or infection appeared, they'd be disconnected all the time. There's also a substantial amount of time that passes from when new malicious code is released until it's discovered by security-ware vendors or an attentive user. Even if a person did that every time a new exploit or threat was discovered, they're still online and exposed to that threat for a period of time. It could be minutes, hours, days, or even more.

The vast majority of malicious code still requires some action on the part of the user in order to compromise their PC, be it opening something, clicking something, visiting a compromised site, etc. Very little malicious code has been able to infect a PC just because it's connected. Most of that could be defeated with a firewall.

The scenario lucas1985 describes doesn't really affect the average user, unless that user's PC is already compromised by malware from that person. Once a PC is compromised by a trojan or rootkit, the malware's owner can pretty much do as they please with that PC, including, as lucas describes, updating that malware to avoid detection.

Regarding the article itself, it's overly optimistic, almost to the point of sounding like war propaganda. It might apply to simple viruses but not malicious code as a whole. If malware were having such a difficult time surviving, botnets wouldn't be growing so large that they can kill companies or take an entire nation offline. I doubt that they attack security-ware because they're desperate. The conventional security-ware vendors are the ones getting desperate, and the malware writers can taste it. Would Microsoft be trying to lock malware out of the kernel if it were a dying threat? Would we have this proliferation of sandbox, HIPS, virtualization, frozen snapshot, etc. programs if there weren't a need for them?

If the battle were as simple as code vs. code or malware vs. security-ware, we'd have a stalemate. When looking at it from an overall perspective, each side gets its small victories in battles, but the overall war is a draw, until you factor in the user and his data. The percentage of users who know nothing about internet security has never been higher. While much of the better security-ware can deal with most threats, most of it needs some help from the user. If nothing else, it needs some semi-intelligent behavior and decision making from the user so the security apps aren't put into situations that are no-win, situations like trying to control the damage malware might do when the user lets it run. When the average user's knowledge is compared to what they really need to know in order to be reasonably safe online, the gap has never been bigger. A lot of people still look at you like you're slightly crazy if you use the term "Spyware." The concept of "common sense" isn't enough to address today's reality.

More than everything else put together, what's really changed is the cost of failure. It wasn't that long ago that a user could get a virus, have an AV remove it and be right back where they started. It doesn't work that way anymore. Nowadays, it's just as likely that the malware will try to remove or kill the AV. Malicious code is harder to detect and harder to remove. The average user can't just instruct the AV to remove a rootkit like they used to with a simple virus. I question whether any security-ware will ever be able to completely remove a well-written rootkit. Without the right tools and the knowledge to use them, or a complete reformatting, an infection can be almost permanent. When they start attacking the BIOS and other firmware, how bad will it get? Visualize a BIOS rootkit with the ability to defend itself.

The average user doesn't have the tools installed to deal with the nastier threats or the knowledge to use them. Removing a keylogger doesn't recover the money stolen from your accounts or get back the e-mail addresses of your friends, family, co-workers, etc. which the malware author is now targeting. Old-style viruses didn't encrypt your data and hold it for ransom. How costly could one of those get if they found the right target?

Malware writers have never had so much code they could target. At around 15GB, how many potential vulnerabilities are there in Vista? How many internet-able apps are installed on the average users PC? Malware has never had so many potential targets to choose from.

I can't see how malware writers could be considered to be in a desperate position. Those with the knowledge and tools to defend themselves will be OK. If anyone is desperate, it's the average user and those who try to defend them in spite of themselves.
Rick